使用 VBA 脚本解锁 VBA 密码

Glen Alfaro 2022年5月18日
使用 VBA 脚本解锁 VBA 密码

编辑或修改 VBA 脚本对于使其功能更好和最新是必不可少的。但是,你需要编辑的 VBA 有密码并且你不知道该怎么做的时候到了。

本文将演示如何使用 VBA 代码解锁忘记或未知的 VBA 脚本密码。

VBA 密码简述逻辑

  1. 代码会调用一个系统函数来创建一个输入密码的对话框。
  2. 如果密码正确,函数返回 1。如果没有,将返回 0
  3. 密码对话框关闭后,系统会期待返回值。
  4. 如果返回值为 1,系统将确认这是一个正确的密码。因此 VBA 项目将被解锁。

下面的代码将演示如何将 Password Checker 函数的内存交换为用户定义的函数,该函数在调用时将返回 1

Option Explicit

Private Const PAGE_EXECUTE_READWRITE = &H40

Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As LPtr, _
ByVal dwSize As LPtr, ByVal flNewProtect As LPtr, lpflOldProtect As LPtr) As LPtr

Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LPtr

Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LPtr, _
ByVal lpProcName As String) As LPtr

Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As LPtr, Source As LPtr, ByVal Length As LPtr)

Private Declare PtrSafe Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As LPtr, _
ByVal pTemplateName As LPtr, ByVal hWndParent As LPtr,ByVal lpDialogFunc As LPtr, ByVal dwInitParam As LPtr) As Integer

Dim HBytes(0 To 5) As Byte
Dim OBytes(0 To 5) As Byte
Dim pFunc As LPtr
Dim Flag As Boolean

Private Function GetPtr(ByVal Value As LPtr) As LPtr
    GetPtr = Value
End Function

Public Sub RecoverBytes()
    If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 6
End Sub

Public Function Hook() As Boolean
    Dim TmpBytes(0 To 5) As Byte
    Dim p As LPtr
    Dim OriginProtect As LPtr

    Hook = False

    pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")


    If VirtualProtect(ByVal pFunc, 6, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then

        MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, 6
        If TmpBytes(0) <> &H68 Then

            MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 6

            p = GetPtr(AddressOf MyDialogBoxParam)

            HookBytes(0) = &H68
            MoveMemory ByVal VarPtr(HookBytes(1)), ByVal VarPtr(p), 4
            HookBytes(5) = &HC3

            MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 6
            Flag = True
            Hook = True
        End If
    End If
End Function

Private Function MyDialogBoxParam(ByVal hInstance As LPtr, _
ByVal pTemplateName As LPtr, ByVal hWndParent As LPtr, _
ByVal lpDialogFunc As LPtr, ByVal dwInitParam As LPtr) As Integer

    If pTemplateName = 4070 Then
        MyDialogBoxParam = 1
    Else
        RecoverBytes
        MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
                   hWndParent, lpDialogFunc, dwInitParam)
        Hook
    End If
End Function

Sub UnprotectedVBACode()
    'Run this subroutine to unlock the VBA project.
    If Hook Then
        Debug.print ("VBA Project was cracked.")
    End If
End Sub

vba 解锁密码